Has anyone created a “Trusted Root CA” (root-ca.crt) that is not recognized by the client computer? I followed the guide for this poc to get the cert:
I did change the name (sblast.lab.local) but everything is the same ....when I import it:
The docs states there should not be any issues and look like this:
Any ideas how to resolve it or find another means to get a working “Trusted Root CA"? I also saw SK 113599 but decided to use this doc.
Ed
Here are the exact steps and file.
6.1 Create a CA certificate
Login to the SB appliances via SSH and follow these steps:
(sba_openssl.cnf might be completely omitted if you use FQDN throughout all SBA config steps)
Ignore all warning outputs you get when running the cpopenssl commands 🙂
1) Create /tmp/sba_openssl.cnf (change CN, DNS and IP according to your SB appliance settings) and insert this content:
[ req ]
prompt = no default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = req_ext
[ req_distinguished_name ]
C=DE
ST=BY
O=CP
OU=SB
CN=sblast.lab.local
[ req_ext ]
subjectAltName = @alternate_names
[alternate_names]
DNS.1=sblast.lab.local
DNS.2=10.200.75.50
IP.1=10.200.75.50
2) Create CA private key
# cpopenssl genrsa -aes256 –out ca-root.key 2048
3) Create CA certificate
# cpopenssl req -x509 -new -nodes -extensions v3_ca -key ca-root.key -days 1024 -out ca-root.crt -sha512 -config /var/opt/CPshrd-R77/conf/openssl.cnf
Be sure to set the common name to your domain only. Common Name (e.g. server FQDN or YOUR name) []: lab.local
6.2 Create SandBlast UserCheck certificate
1) Create Server private key
# cpopenssl genrsa -out sblast.local.key 4096
2) Create certificate signing request
# cpopenssl req -new -key sblast.lab.local.key -sha512 -subj "/C=DE/ST=BY/O=CheckPoint/CN=sblast.lab.local" -config /tmp/sba_openssl.cnf -out sblast.lab.local.csr
3) Create server public certificate
# cpopenssl x509 -req -in sblast.lab.local.csr -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -extensions req_ext -extfile /tmp/sba_openssl.cnf -out sblast.lab.local.crt -days 365 -sha512
4) Convert server certificate to PKCS#12
# cpopenssl pkcs12 -export -in sblast.lab.local.crt -inkey sblast.lab.local.key -out sblast.lab.local.p12 -certfile ca-root.crt
==============================
NOTE: I think the problem might the "RED" font area.
The two important files are "R7730TE.lab.local.p12" and ca-root.crt. It's the ca-root.crt that I'm installing on my labtop/client.
Hi Pedro. Thanks for the quick reply. That's exactly what I'm thinking and last night spend some time trying to review the steps in the command. It looks like it does read off it too... Here is the actual file (sba_openssl.cnf) that is initially setup. Once I run the commands and generate the cert it ask me for C, ST, O...etc. and I was entering diff info but tried to match them last night but no luck.
I'll look into the area you suggested and follow up.
Here are the exact steps and file.
6.1 Create a CA certificate
Login to the SB appliances via SSH and follow these steps:
(sba_openssl.cnf might be completely omitted if you use FQDN throughout all SBA config steps)
Ignore all warning outputs you get when running the cpopenssl commands 🙂
1) Create /tmp/sba_openssl.cnf (change CN, DNS and IP according to your SB appliance settings) and insert this content:
[ req ]
prompt = no default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = req_ext
[ req_distinguished_name ]
C=DE
ST=BY
O=CP
OU=SB
CN=sblast.lab.local
[ req_ext ]
subjectAltName = @alternate_names
[alternate_names]
DNS.1=sblast.lab.local
DNS.2=10.200.75.50
IP.1=10.200.75.50
2) Create CA private key
# cpopenssl genrsa -aes256 –out ca-root.key 2048
3) Create CA certificate
# cpopenssl req -x509 -new -nodes -extensions v3_ca -key ca-root.key -days 1024 -out ca-root.crt -sha512 -config /var/opt/CPshrd-R77/conf/openssl.cnf
Be sure to set the common name to your domain only. Common Name (e.g. server FQDN or YOUR name) []: lab.local
6.2 Create SandBlast UserCheck certificate
1) Create Server private key
# cpopenssl genrsa -out sblast.local.key 4096
2) Create certificate signing request
# cpopenssl req -new -key sblast.lab.local.key -sha512 -subj "/C=DE/ST=BY/O=CheckPoint/CN=sblast.lab.local" -config /tmp/sba_openssl.cnf -out sblast.lab.local.csr
3) Create server public certificate
# cpopenssl x509 -req -in sblast.lab.local.csr -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -extensions req_ext -extfile /tmp/sba_openssl.cnf -out sblast.lab.local.crt -days 365 -sha512
4) Convert server certificate to PKCS#12
# cpopenssl pkcs12 -export -in sblast.lab.local.crt -inkey sblast.lab.local.key -out sblast.lab.local.p12 -certfile ca-root.crt
==============================
NOTE: I think the problem might the "RED" font area.
The two important files are "R7730TE.lab.local.p12" and ca-root.crt. It's the ca-root.crt that I'm installing on my labtop/client.
| User | Count |
|---|---|
| 6 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
